Trustwave File Type Release Notes
Last Revision:
January 15, 2019
The File Type module is used by by Trustwave Content Security products
(SEG, ECM, and WebMarshal). Updates are made available for recent versions through the Automatic
Updates service. Each product release includes the current update of File Type.
For details of the File Type versions published for each product version, see
Trustwave Knowledgebase article
Q20446 (SEG/ECM) or
Q21078 (WebMarshal).
Note: File extensions are provided in this document for
reference only. File Type recognizes files based on their structure and not by
the file name or extension.New Features
For more information about additional minor features and bug fixes,
see the
release history.
Features new in 8.2.1
- File Type DLL 8.2.1 must be used with Unpacker DLL
8.2.0 or above
- This requirement is to ensure that XML files unpacked
from Office documents are correctly handled.
- Additional types recognized
- Encrypted PowerPoint 2003 files (.PPT and
.PPS, logged as PPTcrypt and PPScrypt)
- Shapefile files (.SHP) and Shapefile Index
files (.SHX)
- VBScript (.VBS)
- Quickbooks Company files (.QBW)
Features new in 8.2.0
- A new group is included for Azure IRM protected documents
- Additional types recognized
- Azure RMS Restricted Permission Message
(RPMSG)
- Azure RMS Restricted Permission File (PFILE)
- Decrypted Azure RMS Restricted Permission
File (RPMSGPlain)
- MSIX packaging files (.MSIX)
- OCSP response files (additional .DER files)
- Password protected Excel document with IRM
- Password protected PowerPoint Presentation
with IRM
- Password protected PowerPoint Show with IRM
- Password protected Word document with IRM
- Powerpoint show with IRM (.PPS or .PPSX)
- XML files (previously recognized as text)
- Zip64 (extension to .ZIP for larger files)
Features new in 8.0.1
- Additional types recognized
- 7Zip Encrypted Archive (recognized
separately from malformed or corrupt files that
cannot be opened)
- dBase Memo Field File (.DBT)
- dBase Multiple Index File (.MDX, logged as
MDXdBase)
- Extended Media Descriptor (.MDX, logged as
MDXMedia)
- Python Bytecode Type (.PYC)
- MATLAB version 4 and 5 (.MAT)
- WebM video (.WEBM)
- WebP images (.WEBP)
- XZ compression
Features new in 8.0.0
- The 64 bit version of Unpacker for SEG 8.0 and above has
been re-versioned to 8.X.
- Additional types recognized
- Microsoft Visio 2013 (.VSDX)
- PEM encoded certificates and RSA Keys (.PEM)
Features new in 7.14.1
- Additional types recognized
- Apple Binary Property List (.PLIST)
Features new in 7.14.0
- Additional types recognized
- Apple iWork Archive (.IWA)
- QuickBooks Backup (.QBB)
- vCard (.VCF)
- Windows Script File (.WSF)
Features new in 7.13.3
- Additional types recognized
- Autocad Plotting Support (.CTB)
- Clarion TopSpeed (.TPS)
- dBASE/Xbase files (.DBF)
- Encore Music Notation (.ENC)
- Event Log XML (.EVTX)
- Independent Color Matching Profile (.ICM)
- Installshield Cabinet (.CAB)
- Microsoft Access 2007 Database (.ACCDB)
- Open Document Text Layout-cache (internal to
ODT files)
Features new in 7.13.0
- Additional types recognized
- Egress Switch (.SWITCH)
- StereoLithography (.STL)
- Redhat Package Manager (.RPM)
- Debian package (.DEB)
-
Improved recognition of PDF and invalid PDF types.
Release History
The following items have been changed or updated in the
specific build versions of FileType
listed.
8.2.1 (January 15, 2019)
FT-134 |
Shapefile (SHP) and Shapefile Index (SHX) files are
recognized. |
FT-153 |
QuickBooks Company files (QBW) are recognized. |
FT-160 |
VBScript files were recognized as JavaScript. Fixed:
VBScript (VBS) is added as a separate type. |
FT-181 |
MSI and CAB files are included in the Executable group as
well as the Archive group. |
FT-182 |
7zip files are not checked for encryption at the partial
download stage. |
FT-231 |
Encrypted PowerPoint 2003 files are recognized. |
8.2.0 (December 6, 2018)
This release is provided in the installation package of SEG 8.2.0 and 8.2.1.
FT-127 |
XML files are recognized by type. |
FT-186 |
PEM encoded certificates have been moved from the
"Encrypted" group to the "Other" group because the
certificates are not encrypted content. |
FT-192 |
OCSP response files are recognized. |
FT-194 |
MSIX response files are recognized. |
FT-210 |
Larger CRL files are recognized. |
FT-220 |
Detection of Excel and PowerPoint documents with IRM has
been updated for Azure RMS. |
FT-222 |
Password protected Office documents with IRM are recognized. |
FT-225 |
Zip64 files are recognized. |
8.1.0 (June 27, 2018)
This release is identical in functionality to release 8.0.3. It is provided for SEG 8.1.
8.0.3 (March 29, 2018)
FT-175 |
HTTP capture files could be incorrectly identified as MAIL.
Fixed. |
FT-176 |
Checking of 7Zip archives for password protection did not
properly close all file handles. Fixed. |
8.0.2 (March 6, 2018)
FT-173 |
Checking of 7Zip archives could time out for larger or more
complex files. Fixed. |
8.0.1 (January 30, 2018)
FT-11 |
Encrypted 7Zip archives are recognized separately from
archives that cannot be opened for other reasons such as
malformed or corrupt files. |
FT-133 |
Python compiled files (.PYC) are recognized. |
FT-135 |
Extended Media Descriptor files (.MDX, logged as "MDXMedia") are recognized. |
FT-141 |
MATLAB version 4 and 5 files (.MAT) are recognized. |
FT-146 |
WebM video format (.WEBM) is recognized. |
FT-147 |
WebP images (.WEBP) are recognized. |
FT-150 |
XZ compressed files are recognized. |
FT-163 |
dBase Memo Field Files (.DBT) and Multiple Index Files
(.MDX, logged as "MDXdBase") are recognized. |
8.0.0 (July 18, 2017)
FT-75 |
PEM encoded certificates and RSA Keys (.PEM) are recognized. |
FT-154 |
Microsoft Visio 2013 files (.VSDX) are recognized. |
FT-156 |
Additional variants of Zip archives are recognized. |
FT-157 |
A file containing a symbolic link to itself caused an error
in file type processing. Fixed. |
FT-158 |
Regular expression matching for vCard identification could
cause the Engine to stop in rare cases. Fixed. |
7.14.1 (March 28, 2017)
FT-98 |
Recognition of Encapsulated PostScript (EPS) files is
improved. |
FT-132 |
Apple Binary Property List files (.PLIST) are
recognized. |
7.14.0 (December 15, 2016)
FT-131 |
Apple iWork Archive files (.IWA) are recognized. |
FT-142 |
RAR 5.0 archives are recognized as RAR type. |
FT-143 |
vCard files (.VCF) are recognized, including new variants
that use B64 encoded sections. |
FT-148 |
Windows Script Files (.WSF) are recognized. |
FT-149 |
QuickBooks Backup files (.QBB) are recognized. |
FT-151 |
The eicar.com virus test string was typed as COM instead of
TEXT. Fixed. |
7.13.5 (April 5, 2016)
FT-140 |
Password protected Excel files might not be detected if the
OLE stream name was not as expected. Fixed. |
FT-139 |
Some Office 2003 documents were detected as type OLE instead
of DOC, affecting unpacking and other detection. Fixed. |
7.13.4 (March 3, 2016)
FT-138 |
Detection of Document Data/ActiveMime (MSO) content is
improved. |
7.13.3 (February 4, 2016)
FT-39 |
dBASE/Xbase files (.DBF) are recognized. |
FT-82 |
Installshield Cabinet (.CAB) files are recognized. |
FT-92 |
Independent Color Matching Profile (.ICM) files are
recognized. |
FT-93 |
Autocad Plotting Support (.CTB) files are recognized. |
FT-94 |
Clarion TopSpeed (.TPS) files are recognized. |
FT-108 |
Microsoft Access 2007 Database (.ACCDB) files are
recognized. |
FT-115 |
Event Log XML (.EVTX) files are recognized. |
FT-122 |
Open Document Text Layout-cache (ODTCache, unpacked from
ODT files) is recognized. |
FT-136 |
Encore Music Notation (.ENC) files are recognized. |
UNPACK-45 |
Binary objects unpacked from Microsoft CHM files are
recognized as "CHM Binary Object". |
7.13.2 (November 24, 2015)
FT-129 |
Password protected Excel workbooks (.XLS) were not correctly handled.
Fixed. |
7.13.1 (November 12, 2015)
FT-125 |
Certain DOCX files created by non MS Office applications
were not recognized because they do not contain a docprops
file. |
FT-128 |
Password protected Excel files were not correctly handled.
Fixed. |
7.13.0 (November 4, 2015)
FT-76 |
Egress Switch files (SWITCH) are recognized. |
FT-104 |
ActiveX Binary objects in Word and Excel documents (ActiveXObject)
are recognized. |
FT-112 |
StereoLithography files (STL) are recognized. |
FT-113 |
PDF type checking is moved after other document types to
reduce false positives. |
FT-114 |
Some components were not correctly identified as mail
components if they contained only header data and no body.
Fixed. |
FT-119 |
Redhat Package Manager files (RPM) are recognized. |
FT-120 |
Debian package files (DEB) are recognized. |
FT-121 |
Suspect PDF files are better recognized as "invalid PDF". |
7.12.1 (May 3, 2015)
FT-111 |
Encrypted PDF files were incorrectly detected as BIN. |
Changes prior to version 7.12 were mentioned in the Trustwave SEG or
Trustwave ECM Release Notes.
Legal Notice
Copyright ©
2019
Trustwave Holdings, Inc.
All rights reserved. This document is protected by copyright and any
distribution, reproduction, copying, or decompilation is strictly prohibited
without the prior written consent of Trustwave. No part of this document may be
reproduced in any form or by any means without the prior written authorization
of Trustwave. While every precaution has been taken in the preparation of this
document, Trustwave assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
While the authors have used their best efforts in preparing this document,
they make no representation or warranties with respect to the accuracy or
completeness of the contents of this document and specifically disclaim any
implied warranties of merchantability or fitness for a particular purpose. No
warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for
your situation. You should consult with a professional where appropriate.
Neither the author nor Trustwave shall be liable for any loss of profit or any
commercial damages, including but not limited to direct, indirect, special,
incidental, consequential, or other damages.
Trademarks
Trustwave and the Trustwave logo are trademarks of Trustwave. Such trademarks
shall not be used, copied, or disseminated in any manner without the prior
written permission of Trustwave.
About Trustwave®
Trustwave helps businesses fight cybercrime,
protect data and reduce security risk. With cloud and managed security services,
integrated technologies and a team of security experts, ethical hackers and
researchers, Trustwave enables businesses to transform the way they manage their
information security and compliance programs. More than three million businesses
are enrolled in the Trustwave TrustKeeper® cloud platform, through which
Trustwave delivers automated, efficient and cost-effective threat, vulnerability
and compliance management. Trustwave is headquartered in Chicago, with customers
in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.